For those looking to manage mobile devices in tandem with Office 365, Microsoft provides a couple of different solutions. For data-specific considerations, RMS/IRM encrypts files so that unauthorized users (e.g. non-employees or ex-employees) cannot open the file itself, wherever the file ends up. For device-specific considerations, Intune provides Mobile Application Management (MAM) policies that restrict how data can move between managed and unmanaged applications. For example, you can stop someone from opening an Excel spreadsheet from OneDrive for Business (OD4B) and saving it to their personal OneDrive app. The end-user experience is still not ideal, but there is certainly growing value in looking at Intune for device management. Let's take a look at how to set it up.
1. Get an Intune tenant, tied to the related Office 365 tenant. There are 30-day demos available for Intune, as well as Office 365.
a. Create a security group ahead of time containing specifically defined test users – my group is called Restricted. This will be used later for targeting policies and deployments.
b. Follow the process here for preparing to manage mobile devices using Intune: http://technet.microsoft.com/library/dn408185.aspx
2. Publish software! Currently, managed-software templates are only available for Android and iOS. Publishing software for iOS is easy:
a. First find the software you want to publish in the Apple App Store, then find the Copy Link option for that app. I am showing OWA for iPhone here, but Excel will be used for the Mobile Application Management demonstration.
b. Go to Software -> Managed Software -> Add Software to start the publishing wizard. Make sure “Managed iOS App from the App Store” is selected, and then add the link copied in the previous step.
c. Put in your preferred description for publishing, which will be seen in the Company Portal (where managed software is downloaded from). Icons will need to be provided (which can be kind of painful when publishing lots of applications). I’m displaying this as a featured app to ensure it is highlighted and easily found for end users.
d. Select which iOS devices the software can be installed on. The app store has some software that’s the same for iPhones and iPads (e.g. Excel), and some that’s not (e.g. OWA). This will prevent users from attempting to install unsupported software on the wrong device.
e. Complete the wizard – you can see here that I've added most of the Microsoft suite for the purposes of this demonstration (sorry, OneNote).
3. Create a new Mobile Application Management (MAM) policy – again, only available for Android and iOS at the time of this posting.
4. Configure your MAM policy – here's the cool part! You can see I'm preventing backups to alternate locations, allowing only managed apps to transfer data to/from each other, preventing "Save As" to stop file type and/or file location changes, and restricting cut, copy and paste outside of managed apps. At the time of this posting, only Word, Excel and PowerPoint are supported among the Office apps, so keep that in mind when looking at options like PIN access (I set mine to No after taking these screen shots). Lastly, I've configured the access requirements to allow 12 hours of offline access to managed application data before authentication is required again.
5. For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps.
6. Deploy the new software to the Company Portal. Go back to Software -> Managed Software -> Manage Deployment and associate the app with the MAM policy you just created. You can also see here that I've targeted the deployment at the Restricted group that I referred to back in Step 1:
7. If you want to force use of the Company Portal, make sure Conditional Access is configured for Exchange Online. Enrollment through the Company Portal is the prerequisite for compliance, so any user who has not installed the Company Portal will be denied access to Exchange Online. Yes, currently this still leaves OD4B reachable without conditional access, but SharePoint Online support will be available (it disappeared sometime between 12/15/14 and 12/16/14, but I'd expect it back up soon).
8. Enroll the device by installing the Company Portal app and logging in. I will note that I was unable to connect using a federated account (using ADFS 2.0), so there are still some bugs to work out.
9. Install managed software – and bask in the glory of effective compliance!
Whoops! No apps show in the Company Portal! The only way I was able to get Managed Applications to work correctly was to force their installation through the individual deployments, and the only option available for Deadline was “As soon as possible”. This will force an immediate download on managed devices, which therefore requires careful consideration for data usage; my device waits until I’m on WiFi for large files, but that cannot be guaranteed in all BYOD scenarios.
Update (12/17/14): This (lack of) functionality is confirmed by Microsoft – current licensing issues are preventing publishing of Apple apps through the Company Portal. Resolution of this issue is in progress.
So it's not all ironed out, but after forcing an Excel installation on my managed iPhone, the policy did work as configured. Notice that I cannot email, copy a link, or save to unmanaged locations:
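Two of the steps above can be scripted and checked from an admin workstation rather than the console. The following is an added example and not part of the original post: it builds the Restricted test group from Step 1a with the MSOnline module, then, for the Step 7 conditional-access check, lists the Exchange ActiveSync access state of each member's mobile devices through Exchange Online remote PowerShell. The user principal names, tenant name and group description are placeholders; it assumes a Global Admin credential and that the MSOnline module is installed.

```powershell
# Added example (not from the original post): create the Step 1a pilot group,
# then report what Exchange Online sees for each pilot user's mobile devices
# so you can confirm the Step 7 conditional-access policy is actually biting.
# Assumptions (hypothetical): the UPNs below, a Global Admin credential, the
# MSOnline module installed, and Exchange Online remote PowerShell reachable.

$testUsers = @('alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com')  # placeholders
$cred = Get-Credential -Message 'Office 365 Global Admin credential'

# --- Step 1a: security group used to target the MAM policy and app deployment ---
Connect-MsolService -Credential $cred

$group = Get-MsolGroup -SearchString 'Restricted' | Where-Object { $_.DisplayName -eq 'Restricted' }
if (-not $group) {
    $group = New-MsolGroup -DisplayName 'Restricted' -Description 'Intune MAM pilot users'
}

foreach ($upn in $testUsers) {
    $user = Get-MsolUser -UserPrincipalName $upn
    # Add-MsolGroupMember errors if the user is already a member, so check first.
    $already = Get-MsolGroupMember -GroupObjectId $group.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if (-not $already) {
        Add-MsolGroupMember -GroupObjectId $group.ObjectId `
            -GroupMemberType User -GroupMemberObjectId $user.ObjectId
    }
}

# --- Step 7 check: Exchange ActiveSync access state per pilot user ---
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

$report = foreach ($member in Get-MsolGroupMember -GroupObjectId $group.ObjectId) {
    Get-MobileDevice -Mailbox $member.EmailAddress | ForEach-Object {
        [pscustomobject]@{
            User      = $member.EmailAddress
            Device    = $_.DeviceModel
            OS        = $_.DeviceOS
            State     = $_.DeviceAccessState        # Allowed / Blocked / Quarantined / ...
            Reason    = $_.DeviceAccessStateReason
            FirstSync = $_.FirstSyncTime
        }
    }
}
$report | Sort-Object User, State | Format-Table -AutoSize

# Devices still marked Allowed for a user who has not installed the Company
# Portal deserve a closer look: conditional access is not enforcing for them.
$report | Where-Object { $_.State -eq 'Allowed' }

Remove-PSSession $session
```

Note that this only covers Exchange Online; because conditional access for SharePoint Online is not available at the time of writing, there is no equivalent check that OD4B is being gated, which is exactly the gap called out in Step 7.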
Links for additional information/guidance: